Thunderbid has an account setting option that is labeled as: "Reply from this identity when delivery headers match [ ]". When used incorrectly, this option can result in the From header being set to another person's name. The option should be reworded to make this clear.
Context: When I saw the option, I assumed that it allowed me to specify that Thunderbird should default to sending replies from this identity when receiving a message from an address matching the pattern. So it could for instance be used to make sure I always use my work email when replying to mails that come from a specific domain (e.g. my work domain).
But that's not what it does. What it actually does is this: when replying to an email sent to an address matching the pattern, it will sent the sender address to the address the original message was sent to. As I learned the hard way, it is intended for use with a catch-all pattern: if you receive all mail going to any address matching *.foodomain.test, then this setting allows you to have the sender set to info@foodomain.test when replying to an email sent to info@foodomain.test, to help@foodmain.com when someone mails help@foodomain.com, etc. For handling a catch-all, this makes sense. However, if you use it with a pattern that you don't own as a catch all, this will result in you apparently spoofing the recipient! In my case, I tied to reply to an email that was addressed to my boss, with an internal mailing list in CC. Since the To field matched the pattern, Thunderbird set the From header to the original recipient's address and name - so when I sent an email to the list, I was apparently impersonating my boss. NOT GOOD. I filed https://bugzilla.mozilla.org/show_bug.cgi?id=1794989, which was closed as invalid, since it's not a bug, just me misunderstanding what the setting does. I'd like to suggest to improve the wording to avoid this kind of problem for others... If I understand correctly, it's not at all about replying "from this identity", but setting the sender to the address of the original recipient. So I'd suggest the following wording: "When replying to messages that were send to an address matching the following catch-all pattern, use that address as the sender". Given the very odd effect this setting has when used inappropriately, it should probably also come with a warning like "Only use this if all addresses that match this pattern are yours!"
... View more